Malware Analysis Report

2025-03-15 08:22

Sample ID 241021-acrx4sxhrc
Target b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N
SHA256 b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993
Tags
upx discovery ransomware
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993

Threat Level: Likely malicious

The file b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N was found to be: Likely malicious.

Malicious Activity Summary

upx discovery ransomware

Renames multiple (4311) files with added filename extension

Renames multiple (2906) files with added filename extension

UPX packed file

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 00:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 00:04

Reported

2024-10-21 00:06

Platform

win7-20241010-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe"

Signatures

Renames multiple (2906) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\bckgzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Management.Instrumentation.Resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\Beulah.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Tongatapu.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\contbig.gif.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Edmonton.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\Vevay.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.core_2.3.0.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-coredump_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox_1.0.500.v20131211-1531.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\Riyadh.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dcpr.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+11.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Palau.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\jaccess.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mac.css.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaireMCE.png.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\setNetworkClientCP.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-api-progress_zh_CN.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\de-DE\ChkrRes.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\helper.exe.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\oskpred\oskpredbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbase.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\ro-RO\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyNotesBackground.wmv.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\zip.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\PST8.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.ui.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\chkrzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.zh_CN_5.5.0.165303.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jetty.io_8.1.14.v20131031.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\deploy\messages_zh_HK.properties.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\NextMenuButtonIcon.png.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Sao_Paulo.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\it-IT\tabskb.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\nav_uparrow.png.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\management.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\Monrovia.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\MSInfo\de-DE\msinfo32.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\ij.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Miquelon.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\Panel_Mask_PAL.wmv.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.properties.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\Stationery\grid_(cm).wmf.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Maputo.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Guadalcanal.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\shvlzm.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\currency.data.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe

"C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe"

Network

N/A

Files

memory/2032-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2039016743-699959520-214465309-1000\desktop.ini.tmp

MD5 027d4b6127a062166ca59e81e25b321f
SHA1 6d2693587ac45885fff374befbd365b4bf80a5a7
SHA256 f0ff7aca426376663fda08fecc041fed6c536f6b600b35f9a8bd94559caa1dbe
SHA512 33f3a6e5b175fc34370132563c9bad8ac432cf686d68e90391b9b4a1d04993cec890f11992529e291e972345af31812d3a4cd864c96db8d94284f5c6f84ea39d

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml.tmp

MD5 e03d997ed931c867287b2817c2c6f7e7
SHA1 128ae1c3207ff5b0342acd6da2cfa74c98b8f437
SHA256 5c24077b463756200b4a67710f6346ead6d6aea04300bbb6c92bbd9f5d0b9d27
SHA512 a2e2520296507651b3f7d44b31ccc9f650e864fd43045bac5e24fb84110b85d7ab34e33b22b5e001c9f788c6d3228dfd72ba832f74bb8fdfdc2ca859dcc6a2d1

memory/2032-70-0x0000000000400000-0x000000000040B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 00:04

Reported

2024-10-21 00:06

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe"

Signatures

Renames multiple (4311) files with added filename extension

ransomware

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019R_Retail-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Extensions.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\cmm\PYCC.pf.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Internet Explorer\it-IT\iexplore.exe.mui.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\jawt.h.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\WindowsBase.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Input.Manipulations.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-filesystem-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\Microsoft.NETCore.App.runtimeconfig.json.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.VisualBasic.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\Invite or Link.one.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Net.WebHeaderCollection.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremDemoR_BypassTrial365-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\dxil.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Personal2019R_Retail-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART1.BDR.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\WindowsFormsIntegration.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\ReachFramework.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Grace-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019VL_KMS_Client_AE-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Private.Xml.Linq.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\PresentationUI.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\sound.properties.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalR_Trial-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.VisualBasic.Core.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\UIAutomationProvider.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Drawing.Common.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Ion.thmx.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\POWERPNT_F_COL.HXK.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\7-Zip\Lang\ms.txt.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationClientSideProviders.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\asm.md.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O17EnterpriseVL_Bypass30-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_KMS_Client-ppd.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_KMS_Client-ul.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-heap-l1-1-0.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationNative_cor3.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\j2pcsc.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\Professional2019DemoR_BypassTrial180-ul-oob.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ul-phn.xrm-ms.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe

"C:\Users\Admin\AppData\Local\Temp\b4bf9b9ea545a4310fe50d9bafece13e98197d97e8abb2e3ff54cf9b83de2993N.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/3584-0-0x0000000000400000-0x000000000040B000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-2437139445-1151884604-3026847218-1000\desktop.ini.tmp

MD5 69731ff4bca08bdb18f55cd08aaaedc9
SHA1 cb3804c7d3bd43f04b21a9f4ca6eeefa105ffd5c
SHA256 ff0724649b214df215151a4abe47ccec4926d89d58c5b0e732e40c8471278773
SHA512 0e2047467bbddd3d82502e2d4125b2a7daa5bc2b7326749d64f66a1020140904be629a9633b8221a0911e38a28ea1f1139d4490623f022c420857551ccad58af

C:\Program Files\7-Zip\7-zip.dll.tmp

MD5 9ee72824b105c256c7016f65c95b1ebf
SHA1 f94341b50055e4ff421d727ee8aee164d1105af0
SHA256 2e53f6816c72ebc1881a4fe6f128eb49abaefacd219d8b1c3a02dd11e6f5495f
SHA512 f01e4dbdde172d9ab02398c06227e0975a5600784613fe9d67b4cc6f85e0705539b64a285277e88618bfc2ac96210dd8f59f6ab0346a2d705b1d6ca0d78b1c67

memory/3584-662-0x0000000000400000-0x000000000040B000-memory.dmp